Solved: Web Traffic Appears to be Incorrectly Redirected by Firewall

haggittmark@tm-america.com · ‎05-13-2019

Externally, people are unable to reach our website - aaa-aa.com. Internally, we can resolve the site with no problem by ip and name. From the outside, via hot spot, from home, and based on complaints from suppliers, the website does not seem to exist. However, an NSLOOKUP on 8.8.8.8 for aaa-aa.com does resolve our name to the correct .aaa IP address. We check with our domain host, and those records are pointing to the right address too.

My boss has determined it is not a problem with IIS or any connected internal service. Inside is fine, outside is the problem. Aaa-aa.com should currently not be available because of this problem. Normally, it would resolve our company website.

Bb-bbbbbbb.com is for our primary address (email, etc.). At its most basic, you should not get a response unless you change ports or add more to the URL.

The bulk of our internal client traffic leaves our building on one of our IP addresses - x.x.x.bbb. This is our Exchange IP, and also standard traffic. Currently, and it should not be, our web server is sending web traffic to the .bbb address. When we google “what is my ip address” we get the .bbb. When we do a “shields up” search, it also probes the .bbb address. Traffic from this server should be from .aaa, inbound and outbound.

I have looked over our firewall routes. From what I can discern, our entries are correct and have not changed in over a month. Our internal x.x.x.aaa (web server) should route to external x.x.x.aaa. We even opened and additional 8080 port just to make sure that our ISP was not blocking 80 for some reason. We even added an “any/any ip” rule for about 10 minutes at the beginning of our ACL list, and were still unable to access our website externally. I tried configuring a different ASA and substituting that and had no luck.

Between 4:30-5a Wednesday morning, external traffic stopped and only internal IP addresses were listed. The Windows software firewall has always been “off” and still is.

We are at a loss. We have called our ISP and they claim they are not blocking any ports and that our ip addresses are correct and working. The same is true for our domain host. To me, it seems that something is routing our traffic to the wrong IP address. Externally, NSLOOKUP shows the correct destination IP. I thought maybe our firewall is redirecting traffic, but we can’t if that either. We need a fresh set of eyes.

Giuseppe Larosa · ‎05-14-2019

Hello,

you must do the test from outside to inside

packet-tracer input inside tcp 192.168.130.xxx 80 208.104.124.aaa 1

change to

packet-tracer input outside tcp 200.200.200.200 1234 80.208.104.aaa 80

and post the results

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎05-14-2019

Hello,

this is good news.

You had written that you had tried to change the ASA device with another one with no changes and that the configuration has been working for a long time.

These two made me think that something has been changed on the ISP side.

I think the right test with packet tracer should have shown that the ASA config is correct.

You can now ask to the ISP to fix the issue on their side.

Hope to help

Giuseppe

View solution in original post

paul driver · ‎05-13-2019

Hello

I assume all your unsuccessful connectios are occurring from not only company assigned pcs it fails not matter what external host you try it from?

What does the nat table show ?

Can you externally telnet to the web server on its open port via ip or its FQDN if so then it isn't the routing

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

haggittmark@tm-america.com · ‎05-13-2019

The connections fail at home and personal cell phones. We used IE, Firefox, and Chrome.

I am unable to telnet (That’s a good thing right? I wouldn’t want anyone to externally telnet in?)

What is “or its fade”

The NAT has the right translation address listed. How do I see the NAT table?

Giuseppe Larosa · ‎05-13-2019

Hello Transaxle,

it looks like that NAT configuration on the ASA is not correct anymore for the web server.

As suggested by Paul what happen if you try to telnet to port 80 on the x.x.x.bbb public IP address from internet?

Do you reach the web server ?

And what happens if you try to telnet to port 80 on x.x.x.aaa from internet ?

Another possibility is that for some reason the private internal IP address of the web serber has changed and so the firewall is not able to send to it the incoming web connections (if the firewall attempts to send them to the old private address)

You should post the NAT configuration of your ASA, just mask the public IP addresses for security.

And the NAT table on the ASA.

Hope to help

Giuseppe

haggittmark@tm-america.com · ‎05-13-2019

Let me try your suggestions. I think I understand it better.

haggittmark@tm-america.com · ‎05-13-2019

telnet xxx.xxx.xxx.aaa:80 and .bbb:80 both fail

I'm checking on the other suggestion.

haggittmark@tm-america.com · ‎05-13-2019

In the ASDM, the NAT looks correct. I'm thinking about posting the NAT and checking the Web Server address again.

haggittmark@tm-america.com · ‎05-13-2019

I the routing table, (haven't forgotten about getting the NAT and it's table), I see this summarization and then an explicit static address: (I'm assuming the xxx.xxx.xxx.0 includes the .aaa network. the first three octets of both are the same)

C xxx.xxx.xxx.0 255.255.255.0 is directly connected, outside
L xxx.xxx.xxx.bbb 255.255.255.255 is directly connected, outside

Giuseppe Larosa · ‎05-13-2019

Hello,

>> 'm assuming the xxx.xxx.xxx.0 includes the .aaa network. the first three octets of both are the same

Yes from a routing point of view it is correct.

We now know that x.x.x.bbb is the outside IP address of your ASA firewall.

You should look at the NAT table now t find out if there is any entry for xxx.xxx.xxx.aaa TCP port 80 mapping to an internal address TCP port 80.

Edit:

a troubleshooting guide for NAT on ASA

see

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Edit2:

the packet tracer CLI can be useful see the following example and change addresses to your case

packet-tracer input outside tcp 209.165.200.225 1234 172.18.22.1 80

it should show how packets for xxx.xxx.xxx.aaa port 80 arriving from outside are processed.

Hope to help

Giuseppe

haggittmark@tm-america.com · ‎05-13-2019

Okay, thanks. I'm checking it out now. thanks for sticking in there with me.

haggittmark@tm-america.com · ‎05-13-2019

haggittmark@tm-america.com · ‎05-13-2019

In this picture, WebPortalOutside represents the xxx.xxx.xxx.aaa address that is correct.

haggittmark@tm-america.com · ‎05-13-2019

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static FTP_server FTP_server_outside
translate_hits = 5452, untranslate_hits = 0

3 (inside) to (outside) source static Exchange_server_443 interface service tcp https https
translate_hits = 0, untranslate_hits = 27935

5 (inside) to (outside) source static Exchange_server_80 interface service tcp www www
translate_hits = 0, untranslate_hits = 5274

11 (inside) to (outside) source static WebPortal443 WebPortalOutside service tcp https https
translate_hits = 0, untranslate_hits = 0
12 (inside) to (outside) source static WebPortal80 WebPortalOutside service tcp www www
translate_hits = 0, untranslate_hits = 0
13 (inside) to (outside) source static WebPortal8080 WebPortalOutside service tcp 8080 8080
translate_hits = 0, untranslate_hits = 0

15 (outside) to (outside) source dynamic VPN_subnet interface
translate_hits = 16276, untranslate_hits = 1
16 (inside) to (outside) source dynamic Inside_iii.iii.0.0-16 interface
translate_hits = 535774, untranslate_hits = 76877

paul driver · ‎05-13-2019

Hello

Looks like your web traffic is hitting rules 3/5 and not 11-13, Have you checked to make sure the nat rulle are in the correct order?

Can you post the run config for this nat translation ( if applicable)
Maybe run a packet tracer for testing-
packet-tracer input outside tcp <public ip> 443 Exchange_server_443 443
packet-tracer input outside tcp <public ip> 80 Exchange_server_80 80

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

haggittmark@tm-america.com · ‎05-13-2019

This had been working for years. I didn't make any changes of that type, but I am still looking into the artical and I am double-checking all your suggestions. Could a NAT appear to work correctly and then stop working correctly